
Re: [Full-Disclosure] Vulnerability response times -- MS and others



hggdh wrote:

Anyways... the report seems to indicate that Microsoft is the fastest
on solving security issues.

Comments?

While not having read the report does not allow me to make qualified comments (and the statements for/by the press that are to be quoted in the news headlines are to be taken with an extreme amount of salt), I'd wager that this is one more result of the latter-day MS push to establish their security propaganda PR-wise. While there are some tech details to it that have merit, they usually do not talk to the press (or conference attendees or the like) about that, since that would throw most people off by immersing them in details that are waaay above their heads and also leave them with the gaping suspicion that nothing is truly secure, when what they want is the *belief* that once they do this or that they will be secure from all threats. So in these venues, MS has adopted the following stance (I know because I managed to observe this live at an IDC-organised road show here in Budapest some weeks ago):


- They now send someone who has "security" somewhere in his title to these events. No more marketing execs or product managers.
- No more inflammatory rhetoric about e.g. the GPL being un-American or a "cancer" or a threat to national security. Seemingly calm and professional tone, uninterested in OS wars.
- Cite external reviews about how important security in general is. Do not miss out on viruses, worms, crack attempts, not even on "insider jobs" in organisations.
- Cite external reviews on how malware authors, for example, are no longer doing it for the fun and the fame but for material gain.
- Explain how hard MS has been pushing security for the last nn years, citing the BG memo of "stop all coding and go to security bootcamp" as an example (still). Cite stats to show how the results of this are already showing for w2k3.
- Use hand-waving to signal in the general direction of some technologies that will appear in the next generation of Windows. No details, no controversial issues, no explanations.
- Use scenarios to show how these technologies will better protect you from some of *today's* *known* threats (and do not even mention that those threats might be totally or largely unimportant by then. Think boot-sector viruses).
- Indicate that with MS, there is a team that you can trust and not some random hacker in China who will commit some sneak fix after midnight. (I think the "Chinese hacker" part is especially effective - outside of China of course, there they probably use something else like "some unknown US hacker" :-) - because of the "latent fear of the unknown" factor, even playing with racist sentiments in the meantime.)
- For good measure they throw in some fake stats like "how many advisories does RH have for things like setgid games privilege elevation in Frozen Bubble?", implying that on RH those too are part of the base offering that RH sells, unlike with Windows third-party software. They know and like the mi2g report too.
- The "trust us, we are pros" attitude usually works: since people still often think that malware etc. is like the rain - a fact of life that you have to accept as is and there is no protection against it - they will be content to know that somebody will be selling automatic umbrellas in nice colors. If somebody stands up and poses (or tries to pose) tough questions at this point, he will look like an extremist and not be believed.


It works. It works much better than when Mr. Ballmer went on record flaming against open source. It is a challenge to counter it.

Regards:
Sz.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html